To ensure that multicast services are correctly transmitted on networks, PIM security is implemented to limit the valid BSR and C-RP address ranges, filter packets, and check PIM neighbors.
Table 1 lists the security features supported by PIM-DM.
| PIM-DM Security Feature | Purpose | Principle | Applicable Device | Protected Device |
|---|---|---|---|---|
| PIM neighbor filtering | Some unknown devices on a network may set up PIM neighbor relationships with a multicast router and prevent the multicast router from functioning as a DR. This function is used to prevent a multicast router from setting up PIM neighbor relationships with unknown devices and prevent an unknown router from becoming a DR. | An ACL and filtering rules can be configured to enable interfaces to set up neighbor relationships only with interfaces that have valid addresses and to delete neighbors with invalid addresses. | All multicast devices on a network | All multicast devices on a network |
| Join information filtering | A Join/Prune message received by an interface contains both join and prune information. This function is used to filter join information to prevent unauthorized users from joining multicast groups. | An ACL and filtering rules can be configured to filter join information. Devices create PIM entries based on valid join information. | All multicast devices on a network | All multicast devices on a network |
| Source address-based filtering | This function enables a device to filter multicast data packets based on source or source/group addresses, ensuring the security of multicast data packets. | An ACL and filtering rules can be configured to enable devices to forward multicast packets carrying source or source/group addresses within the valid source or source/group address range. | All multicast devices on a network | All multicast devices on a network |
| PIM neighbor check | This function guarantees the security of Join/Prune or Assert messages received or sent by devices. | When receiving or sending Join/Prune or Assert messages, a device checks whether the messages are sent to or received from a PIM neighbor. If these messages are not sent to or received from a PIM neighbor, they are discarded. | All multicast devices on a network | All multicast devices on a network |
| PIM silent | This function is used to protect interfaces of devices against pseudo PIM Hello packets. | The interface is not allowed to receive or forward any PIM packets and all PIM neighbor relationships established by this interface are deleted. | Interface directly connected to the user host network segment that is connected to only one PIM device. | PIM devices directly connected to user host network segments. |
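
The following Python model is an added example, not vendor code or device configuration; it shows how PIM neighbor filtering, the receive-side PIM neighbor check, and PIM silent from Table 1 interact on one interface. The class name, the result strings, and the addresses (10.1.1.0/24 as the valid neighbor range, 192.0.2.66 as an unknown device) are assumptions made for illustration, and the send-side neighbor check is not modelled.

```python
import ipaddress
from dataclasses import dataclass, field

@dataclass
class PimInterface:
    """Simplified receive-side model of one PIM-DM interface (hypothetical)."""
    neighbor_acl: list = None      # permitted neighbor prefixes; None = no filter
    neighbor_check: bool = True    # PIM neighbor check on received messages
    silent: bool = False           # PIM silent
    neighbors: set = field(default_factory=set)

    def _permitted(self, src):
        if self.neighbor_acl is None:
            return True
        addr = ipaddress.ip_address(src)
        return any(addr in ipaddress.ip_network(p) for p in self.neighbor_acl)

    def set_silent(self):
        # PIM silent: stop handling PIM packets and delete all neighbors.
        self.silent = True
        self.neighbors.clear()

    def receive(self, msg_type, src):
        """Return 'accept' or 'drop:<reason>' for one received PIM message."""
        if self.silent:
            return "drop:silent"
        if msg_type == "hello":
            if not self._permitted(src):
                self.neighbors.discard(src)  # delete neighbor with invalid address
                return "drop:neighbor-filter"
            self.neighbors.add(src)
            return "accept"
        if msg_type in ("join-prune", "assert"):
            if self.neighbor_check and src not in self.neighbors:
                return "drop:not-a-neighbor"
            return "accept"
        return "drop:unknown-type"

def run_demo():
    # Constructed sample traffic; 10.1.1.9 is in range but never sent a Hello.
    iface = PimInterface(neighbor_acl=["10.1.1.0/24"])
    traffic = [("hello", "10.1.1.2"), ("hello", "192.0.2.66"), ("join-prune", "10.1.1.2"),
               ("assert", "192.0.2.66"), ("join-prune", "10.1.1.9")]
    results = [iface.receive(t, s) for t, s in traffic]
    iface.set_silent()
    results.append(iface.receive("hello", "10.1.1.2"))
    return results, iface.neighbors

if __name__ == "__main__":
    print(*run_demo()[0], sep="\n")
```

The Join/Prune from 10.1.1.9 is dropped even though its address is inside the permitted range, because the neighbor check depends on an established neighbor relationship rather than on the ACL alone.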